forked from ComplianceAsCode/content
Merge pull request ComplianceAsCode#6588 from JAORMX/cis-3.2
ocp4/CIS: Address 3.2
Showing 6 changed files with 101 additions and 1 deletion.
@@ -0,0 +1,71 @@ | ||
prodtype: ocp4 | ||
|
||
title: Ensure that the cluster's audit profile is properly set | ||
|
||
description: |- | ||
<p> | ||
OpenShift can audit the details of requests made to the API server through | ||
the standard Kubernetes audit capabilities. | ||
</p> | ||
<p> | ||
In OpenShift, auditing of the API Server is on by default. Audit provides a | ||
security-relevant chronological set of records documenting the sequence of | ||
activities that have affected system by individual users, administrators, or | ||
other components of the system. Audit works at the API server level, logging | ||
all requests coming to the server. Each audit log contains two entries: | ||
</p> | ||
<p> | ||
The request line containing: | ||
</p> | ||
<ul> | ||
<li>A Unique ID allowing to match the response line (see #2)</li> | ||
<li>The source IP of the request</li> | ||
<li>The HTTP method being invoked</li> | ||
<li>The original user invoking the operation</li> | ||
<li>The impersonated user for the operation (self meaning himself)</li> | ||
<li>The impersonated group for the operation (lookup meaning user's group)</li> | ||
<li>The namespace of the request or none</li> | ||
<li>The URI as requested</li> | ||
</ul> | ||
<p> | ||
The response line containing: | ||
</p> | ||
<ul> | ||
<li>The aforementioned unique ID</li> | ||
<li>The response code</li> | ||
</ul> | ||
<p> | ||
For more information on how to configure the audit profile, please visit | ||
{{{ weblink(link="https://docs.openshift.com/container-platform/4.6/security/audit-log-policy-config.html", | ||
text="the documentation") }}} | ||
</p> | ||
rationale: |- | ||
Logging is an important detective control for all systems, to detect potential | ||
unauthorised access. | ||
identifiers: | ||
cce@ocp4: CCE-83577-7 | ||
|
||
references: | ||
cis: 3.2.1,3.2.2 | ||
|
||
severity: medium | ||
|
||
warnings: | ||
- general: |- | ||
{{{ openshift_cluster_setting("/apis/config.openshift.io/v1/apiservers/cluster") | indent(4) }}} | ||
template: | ||
name: yamlfile_value | ||
vars: | ||
ocp_data: "true" | ||
filepath: /apis/config.openshift.io/v1/apiservers/cluster | ||
yamlpath: "spec.audit.profile" | ||
xccdf_variable: var_openshift_audit_profile |
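Review bot: the description's bullet "A Unique ID allowing to match the response line (see #2)" points at a "#2" that does not exist in this text, and "activities that have affected system" is missing "the". More substantively, the request-line/response-line walkthrough describes the content of audit records, while the check itself only compares `spec.audit.profile` on `/apis/config.openshift.io/v1/apiservers/cluster` with `var_openshift_audit_profile`; suggest trimming the record-format description and instead stating which profile values the variable accepts and that a PASS means the configured profile equals the selected one, so an assessor understands what this rule actually verifies. The rationale could likewise say why the profile choice matters, not only that logging is a detective control.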
applications/openshift/logging/audit_profile_set/tests/ocp4/e2e.yml (2 additions & 0 deletions)
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: PASS |
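Review bot: `default_result: PASS` only exercises the rule with the variable's default value (`Default` in `var_openshift_audit_profile.var`), so the `xccdf_variable` binding in the `yamlfile_value` template is never tested with a different selection; consider a second e2e case that selects another option (e.g. `WriteRequestBodies`) and asserts the expected result against the cluster state.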
@@ -0,0 +1,8 @@ | ||
documentation_complete: true | ||
|
||
prodtype: ocp4 | ||
|
||
title: 'OpenShift - Logging Settings' | ||
|
||
description: |- | ||
Contains evaluations for the cluster's logging configuration settings. |
applications/openshift/logging/var_openshift_audit_profile.var (19 additions & 0 deletions)
@@ -0,0 +1,19 @@ | ||
documentation_complete: true | ||
|
||
title: 'Configure the OpenShift Audit Profile' | ||
|
||
description: |- | ||
Audit log profiles define how to log requests that come to the OpenShift | ||
API server, the Kubernetes API server, and the OAuth API server. | ||
|
||
type: string | ||
|
||
operator: equals | ||
|
||
interactive: false | ||
|
||
options: | ||
default: "Default" | ||
Default: "Default" | ||
WriteRequestBodies: "WriteRequestBodies" | ||
AllRequestBodies: "AllRequestBodies" |
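Review bot: the options `Default`, `WriteRequestBodies` and `AllRequestBodies` are listed without any explanation of what each profile records; the description should spell out the difference (the names imply progressively more request-body content being written to the audit log) and the volume and data-sensitivity trade-off, so whoever selects a non-default value in a tailoring file understands what ends up in the logs. Also note that `operator: equals` makes this an exact-match check: a cluster configured with a more verbose profile than the one selected will be reported as failing rather than as exceeding the requirement, which is worth stating in the rule's description.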
@@ -98,7 +98,6 @@ CCE-83568-6 | |
CCE-83569-4 | ||
CCE-83570-2 | ||
CCE-83575-1 | ||
CCE-83577-7 | ||
CCE-83579-3 | ||
CCE-83581-9 | ||
CCE-83583-5 | ||
|
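Review bot: the header `@@ -98,7 +98,6 @@` says one line is removed from this list but the rendering shows no `-` marker; from the rule hunk the removed entry should be `CCE-83577-7`, which the new rule claims via `cce@ocp4: CCE-83577-7`. Please confirm that this is the identifier taken from the available-CCE pool and that no other entry was dropped.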